Since there is no single entity to blame for Drupal or other Open Source CMSes, as opposed to commercial entities like Oracle or Microsoft - there will likely be no finger-pointing in this issue.

But the article then goes on to say:

Increased awareness of web services security matters is required from the Open Source [communities] so that we will avoid large information leaks in the future.

We beg to differ! Sure, nobody is saying we can't improve on developer awareness, and that's true absolutely across the board in every developer community. But hindsight is always 20/20 and that kind of comment carries an implied "mea culpa" for open source software that, in my opinion, is totally misplaced and maybe even a little dangerous.

And more importantly, it has nothing whatsoever to do with the issue at hand! It really doesn't matter what software is or is not behind the leak. The principal point is this: it is alleged that the affected company, Mossack Fonseca, was running a version of Drupal more than two years old (7.23*) as its customer portal software. More than two years old!

If the Forbes article is correct, and Mossack Fonseca were still running Drupal 7.23 in 2016, this is absolutely unforgivable from a corporate infosec standpoint. There have been literally dozens of security fixes to Drupal since that date, allegedly none of which had been applied to Mossack Fonseca's (presumably) confidential client portal. The only thing I find astounding is that it took two years for this leak to break.

So let's assume you're just an ordinary person or organisation using Drupal, and information security is important to you. Regardless of what Mossack Fonseca were alleged to have been up to, there are many good reasons you might not want information held on a website to be disclosed. Numerous Code Enigma clients could not afford a leak like this for far more honourable reasons than a political fire-storm - they carry genuine private data, for example medical researchers' contact information, interactions of members of the public with local government, sometimes we relay payment details, and so on. What do you do? Well, you can never entirely protect yourself from a clever and resourceful attacker, but at a bare minimum:

You keep your software up to date!
All of it.
Without exception.
All of the time!

It's not that difficult, and if you do that one thing then it's much, much harder for a Panama Papers-style leak to happen to you. If you don't have the time or the ability to do so yourself, you can get support for Drupal and support for Linux from literally hundreds of companies around the world. Those packages vary hugely from the relatively inexpensive and totally automated services (like Drop Guard) to hands-on Enterprise support packages (such as our own) where professional experts hand-check your updates. We're at the expensive end, but then we're ISO 27001 certified by the British Standards Institute, and you get what you pay for.

§

Finally, you may be wondering what Code Enigma did in the face of Drupageddon. Why wasn't this an issue for our customers?

Well, firstly, because we have a member of our security and support team actually on the Drupal security committee, we have our finger on the pulse. He actually respected the embargo on disclosure, even internally, but we were primed and ready. As soon as the vulnerability was announced, we patched all customer systems. And here's the thing:

We have customers who pay us for security patching and those that don't. But Drupageddon was so serious that in the interests of good 'net citizenship, we took the view that regardless of whether or not our customers were paying for security updates, we would patch everyone. In fact, we had that patching done inside an hour. We also blocked all customer automated deployment tools until they could demonstrate to us they had upgraded Drupal core in their version control repositories, so we could be sure customer changes to code could not reinstate the vulnerability.
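One way to automate the "no deployment until core is upgraded in version control" rule described above is a gate in the deployment pipeline that reads the Drupal core version committed to the repository and refuses to proceed if it is below a required minimum. The script below is an added example, not Code Enigma's own tooling. It relies on the fact that Drupal 7 records its core version as `define('VERSION', '7.xx');` in `includes/bootstrap.inc`; the minimum version `7.40` and the sample repository it builds are constructed placeholders, not values from this post.

```shell
#!/bin/sh
# Added example (not Code Enigma's tooling): a deployment gate that refuses to
# proceed unless the Drupal 7 core checked into the repository is at least a
# given version. Drupal 7 records its core version in includes/bootstrap.inc as
#   define('VERSION', '7.xx');
# and this script parses that line.

# Print the core version recorded in a Drupal 7 bootstrap.inc (empty if absent).
drupal7_version() {
    sed -n "s/^define('VERSION', '\([0-9][0-9.]*\)');.*/\1/p" "$1" | head -n 1
}

# Succeed when dot-separated version $1 is greater than or equal to version $2.
version_at_least() {
    have="$1" need="$2"
    while [ -n "$have" ] || [ -n "$need" ]; do
        h=${have%%.*}; n=${need%%.*}
        case "$have" in *.*) have=${have#*.} ;; *) have="" ;; esac
        case "$need" in *.*) need=${need#*.} ;; *) need="" ;; esac
        [ "${h:-0}" -gt "${n:-0}" ] && return 0
        [ "${h:-0}" -lt "${n:-0}" ] && return 1
    done
    return 0
}

# Block the deployment when the repository's core is older than the minimum.
# $1 = path to the checked-out repository, $2 = minimum acceptable core version.
deployment_gate() {
    repo="$1" minimum="$2"
    current=$(drupal7_version "$repo/includes/bootstrap.inc")
    if [ -z "$current" ]; then
        echo "gate: could not read Drupal core version from $repo" >&2
        return 2
    fi
    if version_at_least "$current" "$minimum"; then
        echo "gate: Drupal core $current satisfies minimum $minimum"
        return 0
    fi
    echo "gate: Drupal core $current is older than required $minimum; deployment blocked" >&2
    return 1
}

# Demo on a constructed mini-repository (sample data, not a real site) that is
# still on 7.23, the version the post says Mossack Fonseca was running.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/includes"
printf "<?php\ndefine('VERSION', '7.23');\n" > "$demo_dir/includes/bootstrap.inc"
deployment_gate "$demo_dir" 7.40 || echo "(demo: deployment would be refused)"
rm -rf "$demo_dir"
```

In a real pipeline the gate would run against the freshly cloned repository before any deployment step, so a customer commit that reverts core to an older version cannot quietly reinstate a vulnerability that was fixed on the live servers.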

The TL;DR is we patched EVERYONE, regardless of contract, and we took the responsibility to ensure their systems stayed patched upon ourselves, even when we weren't contractually obliged to.

The only thing left to say is please now go update the software on your computer, on your servers, your websites, your JavaScript libraries, the lot. Now. They are all attack vectors. Stay up to date, stay safe.

We’re Code Enigma

We’re one of the most experienced Drupal teams in Europe, best known for our work on large, technically challenging projects for all kinds of clients.

Our team is passionate about Drupal and open source software. Our whole company spends at least four weeks per year working on Drupal modules or other open source projects. We’re also strongly committed to putting design first, taking a mobile-first, content-out approach to creating websites. This ensures that the sites we build combine the power of Drupal with best practice design and development.